Business entities must protect data they receive before it is transmitted to other components for processing. Business entities must also protect their data receiving devices from installing unverified changes in software.